Share via

Configure a Certificate Template for Key Archival

Applies To: Windows Server 2008 R2

The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template.

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure a certificate template for key archival and recovery

  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.

  3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  4. In Template, type a new template display name, and then modify any other optional properties as needed.

  5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.

  6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box.


To implement autoenrollment, all three check boxes must be selected.

  1. On the Request Handling tab, select the Archive subject's encryption private key check box.

  2. If users already have EFS certificates that are not configured for key archival and recovery, click the Superseded Templates tab, click Add, and then click the name of the template that you want to replace.

  3. Click OK.

Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have identical certificates that were issued before key recovery was enabled, they are not covered by key archival. Clients must be re-enrolled to receive a certificate that is based on the changed template if they already have a valid certificate that is based on the old template. For more information about re-enrolling clients, see Re-Enroll All Certificate Holders (

Additional references